07-19-2021 07:40 PM
I need some guidance on a Public CA and which type of certificate to purchase for internal and public domains for Call Manager, IMP, UCCX, etc.
08-10-2021 11:00 PM
I looked the name of the IMP certificate up. It’s cup-xmpp that needs to be signed.
See this document for details on how to sign the various certificates in a UC system landscape. https://community.cisco.com/t5/collaboration-voice-and-video/cisco-uc-certificates-renewal-guide/ta-p/4077131
08-10-2021 11:10 PM
That a client would trust the webUI of CM means that the tomcat certificate is signed with a CA that the client has in its trust store. It does however not mean anything for the other certificates mentioned, other than if you’ll get them signed by the same CA the client would have the needed certificate(s) in its trust store.
To me it would seem like a waste to use a public CA to sign these internal facing certificates, but if you're willing to spend the money for it, it's your prerogative. It is after all a free world we're living in. :-)
08-10-2021 11:03 PM
You can do that by Group policy for windows machines. For mobile devices you need MDM to do that.
08-10-2021 11:07 PM
08-11-2021 12:14 AM - edited 08-11-2021 12:18 AM
Hi,
Edit: My apologies, when I went through the thread again, most of the points I mentioned here were already covered. Ignore this if it confuses you, or ask further. Unfortunately there is no delete option available.
Others have explained the process very well in the previous posts. Just to summarize it:
You have both options: either signed by a private CA (from your internal certifying authority, generally Microsoft CA) or sign the certificates with an approved public signing authority. For the latter you may incur some costs.
In order for the certificates to work, your end device should have the root certificates in its trust store. As @Nithin Eluvathingal mentioned, if you have a Windows PC, this can be done via group policy, and for mobile devices any MDM (Mobile Device Management) such as Intune for the private CA.
For the Call Manager and IM&P you can generate a multi-SAN CSR so that you don't have to generate individual certificates on each node for tomcat. For Call Manager you can generate the MSAN from the Publisher; similarly XMPP-CUP (MSAN) from the IM&P Publisher, etc.
They have already shared the references URL for further read.
There are a few Cisco Live on-demand videos that may be useful to you. Please search for BRKUCC-2501 and BRKCOL-2425.
url: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2016/pdf/BRKUCC-2501.pdf
Regards,
08-11-2021 05:33 AM
07-22-2021 11:57 PM - edited 07-23-2021 12:01 AM
You can neither download nor upload a private key on these systems.
Apart from this the thing that you want to do would not work anyway as you can not edit the names in the SAN as you suggested. For CCX for example there are strict limits on what it can contain.
07-23-2021 08:58 AM
Gentlemen,
So what you are saying is that none of the certificates for CUCM, IMP, CUC, UCCX can be signed by a Public Root CA? These service certificates need to have a Microsoft Root CA installed into the trust store, and then a web-server template on the Microsoft CA server needs to be modified for Key Usage and Enhanced Key Usage, a CSR generated for the service (tomcat, callmanager, cup-xmpp, etc.), then upload the CSR and download the certificate?
I am trying to get 3 call managers, 1 CUC, 1 IMP, 1 UCCX secured with certificates for testing and development purposes. I will be adding Expressway soon.
I must be missing something here. This seems way too difficult, and I have received mixed information through reading, talking with other engineers, Cisco TAC, and Public CAs on how to actually do this. I did try using a UCC certificate from SSL.com; however, on examination of the certificate the key usage values do not align with what the self-generated certificates create.
Thank you all for the help.
07-23-2021 11:26 AM - edited 07-23-2021 11:19 PM
No, that's not what I wrote. You can absolutely get a CA-signed certificate for all of these systems. For this you create a CSR, certificate signing request, on the system where you want the certificate. This is then sent to the CA to get a signed certificate back from them. Once you get it, you upload it to the certificate store on the system together with the certificate for the CA, quite often a root and an intermediate certificate.
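The CSR-to-signed-certificate round trip described above, using a multi-SAN request like the MSAN CSR mentioned earlier in the thread, as an added example that is not from any poster here. It stands in a throwaway private CA for the internal root, uses hypothetical lab hostnames, and finishes with the checks a client trust store effectively performs (chain, SAN, KU and EKU):

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway private CA signs a multi-SAN
# (MSAN-style) tomcat CSR, then the result is checked the way a client would
# trust it. Hostnames are hypothetical lab names; adjust to your cluster.
set -eu
WORK=$(mktemp -d)
PUB_FQDN=cucm-pub.lab.example
SANS="DNS:cucm-pub.lab.example,DNS:cucm-sub1.lab.example,DNS:cucm-sub2.lab.example"

write_config() {   # one config: a CA section plus the extensions the UC CSR asks for
cat > "$WORK/ext.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $PUB_FQDN
O = Lab
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_req]
subjectAltName = $SANS
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
}
make_private_ca() {  # stands in for the internal (e.g. Microsoft) root CA
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Root CA" \
    -config "$WORK/ext.cnf" -extensions v3_ca \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}
make_msan_csr() {    # what the publisher produces; the private key never leaves the box
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ext.cnf" \
    -keyout "$WORK/tomcat.key" -out "$WORK/tomcat.csr" 2>/dev/null
}
sign_csr() {         # the CA's "web server" step; -extfile keeps SAN, KU and EKU
  openssl x509 -req -in "$WORK/tomcat.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -extensions v3_req \
    -out "$WORK/tomcat.pem" 2>/dev/null
}
verify_chain() {     # succeeds only if the root in the "trust store" signed the cert
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/tomcat.pem" >/dev/null 2>&1
}
cert_text() { openssl x509 -in "$WORK/tomcat.pem" -noout -text; }
has_san() { cert_text | grep -q "DNS:$1"; }                 # e.g. has_san cucm-sub1.lab.example
has_ext() { cert_text | grep -A1 "$1" | grep -q "$2"; }     # e.g. has_ext 'X509v3 Key Usage' 'Key Encipherment'

write_config && make_private_ca && make_msan_csr && sign_csr
verify_chain && echo "chain OK against $WORK/ca.pem"
```

On a real cluster the CSR comes from the OS Administration page and the signed certificate plus the CA chain go back in there; this script only mirrors what the CA side and the client side do with those files.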
07-23-2021 01:54 PM - edited 07-23-2021 11:01 PM
What we are saying is that it is an option to get CUCM, IMP, UCCX signed by a Public CA since they are not accessible outside the corporate network.
I have installed a public CA in my CUCM just to test, and it trusted my CUCM.